The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has far-reaching implications for medical offices and the various organizations with which they interact. We all recognize that patient privacy is important, but in many cases HIPAA violations simply occur when healthcare providers often overlook some of the gaps in the processes and tools they use to manage patient information. Here are some tips for making sure your medical office is doing everything possible to remain HIPAA compliant.
Although the title “HIPAA Officer” might sound very formal, it doesn’t need to be intimidating. The key message here is that HIPAA compliance should have a primary owner, – someone who has ultimate responsibility for making sure that the tools, processes, and training in your workplace are designed with patient privacy in mind. The HIPAA Officer at your workplace will presumably have other responsibilities. The best candidate for this position is someone who has visibility to the various workflows in your organization, such as an office manager. That person’s job descriptions should include staying up to date with key developments relating to HIPAA, periodically reviewing the tools and processes used in managing patient information, and ensuring that all employees have the proper training. Your HIPAA Officer must also have the authority and the resources necessary to do a thorough job.
Are your existing policies relating to patient privacy adequate? When was the last time they were reviewed? Has your medical office undergone any significant changes that might necessitate changes to your policies? If some of your office staff has shifted to remote work as a result of COVID, for example, then you probably need to review your policies and procedures. If an employee is receiving protected health information (PHI) via e-mail that they access from a home computer, then you might be putting patient information at risk. There are other risks as well; phone conversations from a home office setting might be inadvertently overheard. Any major changes in workplace procedures should be examined through a lens of patient privacy. A periodic review of policies and procedures will help to identifying these kinds of risks and address them from the outset.
Technology has greatly improved efficiency, allowing for a rapid exchange of information between healthcare providers. But technology must always be viewed with patient privacy in mind. Many of the tools that we use every day have some level of risk associated with them. We don’t necessarily think much about it when we’re sending a friendly e-mail to a family member; but if our e-mails contain protected health information it’s important to understand the potential risks and do everything possible to minimize them. If you’re using an e-mail client such as Outlook, a copy of your e-mail is stored on your local hard drive. Another copy is retained by the e-mail server that you connect to when you hit “send”. Document attachments viewed on an employee’s personal computer might be stored on that user’s hard drive as well, and could be visible to that person’s family members. If mobile devices are used for sending and receiving patient information, policies and procedures must be considered to protect PHI. Many healthcare providers have chosen to rely on secure cloud-based HIPAA compliant fax because of its high levels of security. As a healthcare provider, you’re ultimately responsible for keeping PHI secure. All technology used in your medical office needs to be seen as a potential risk.
While technology is a key risk, there are other “low-tech” gaps as well. Review your telephone procedures. Are employees trained to verify a caller’s identity before giving out information by phone? Is a system in place to verify that a patient has given permission to share their PHI with a third party? Then there is the problem of paper-based documents. Filing cabinets must be in a secure area and should be locked when no one is present to monitor activity in that area. HIPAA compliant paper shredders are important as well, so that documents can be destroyed when hard copy is no longer needed. Better yet, consider reducing your reliance on hard copy documents altogether. Many medical offices are using cloud fax services to achieve that.
Employees should go through HIPAA training as part of their workplace orientation, and at least once a year after that. Whenever new systems or policies are implemented, your team should be trained to understand how HIPAA compliance factors into the process. Document the training by recording the dates and times, which employees participated, and what kind of training was delivered. Employees should be asked to sign a statement acknowledging that they understand HIPAA-related policies and procedures.
Any vendors that create, maintain, receive or transmit PHI should sign a business associate agreement (BAA). That includes cloud service providers (web, fax, & e-mail services, for example), and billing, transcription, and shredding companies. Legally, it’s your responsibility to make sure those vendors understand their obligation to safeguard PHI and agree to take the necessary measures to protect it. Look for businesses who thoroughly understand HIPAA compliance and have taken the necessary measures for both technical and physical security of patient information.
HIPAA compliance can sometimes be confusing, and mistakes can be costly. To protect your patients and avoid compliance penalties, work with technology companies that understand HIPAA compliance and have developed world-class security to ensure that information is protected. To learn more about WestFax’s HIPAA-compliant Healthcare Fax, contact us at (800) 473-6208, or via e-mail at email@example.com